Troubleshooting Packet Latencies within SE

Overview

SE time flow tracker can track the network characteristics, processing time at key checkpoints and flag queuing delays in a packet journey through the network appliance.

CLI

Configuring Analytics Profile

The following are the configuration used in analytics profile:


> show analyticsprofile System-Analytics-Profile
..
| latency_audit_props                 |                           |
|   latency_audit_mode                | LATENCY_AUDIT_OFF         |
|   latency_threshold                 | 20 milliseconds           |
|   conn_est_audit_mode               | LATENCY_AUDIT_ON          |
|   conn_est_threshold                | 40 milliseconds           |
+-------------------------------------+---------------------------+
Audit Properties Default Description
latency_audit_mode LATENCY_AUDIT_OFF LATENCY_AUDIT_OFF - Default, no latency audit is performed.
LATENCY_AUDIT_ON - Turn on the latency audit with statistics/ counters for flows/ packets breaching the configured threshold.
LATENCY_AUDIT_ON_WITH_SIG - Turn on the latency audit, statistics are updated along with event and significant logs.
latency_threshold 20 msec This enables tracking the dispatcher to proxy latency for each packet if latency_audit_mode is set to LATENCY_AUDIT_ON. This is the threshold above which events, significant logs and metrics are expressed if the per packet latency from dispatcher to proxy is too high.
conn_est_audit_mode LATENCY_AUDIT_ON LATENCY_AUDIT_OFF -No connection establishment audit is performed.
LATENCY_AUDIT_ON - Default, turn on the connection establishment audit with statistics/ counters for flows/ packets breaching the configured threshold.
LATENCY_AUDIT_ON_WITH_SIG - Turn on the connection establishment audit, statistics are updated along with event and significant logs.
conn_est_threshold 40 msec This enables tracking the TCP connection establishment time if conn_est_audit_mode is set to LATENCY_AUDIT_ON. This is the threshold for anomaly detection which is expressed as events, significant logs and metrics if this threshold is breached.se

Notes:

  • Currently, latency_audit_filters is supported only for TCP/IPV4.
  • Time Tracker is toggled off if the CPU Time Stamp Counter (TSC) is variant.
  • Time Tracker Latency Audit now supports auditing egress latency.

Configuring latency_audit_filters in debug Virtual Service

The filters contain all the options offered by VS capture filters. However, latency_audit_filters are functionally independent of capture filters.


> debug virtualservice vs-1
..
[admin:vpr-ctrl1]: debugvirtualservice:latency_audit_filters>
cancel               Exit the current submode without saving
capture_ip           (submode)
capture_ipc          (submode)
do                   Execute a show command
dst_port_end         Destination Port range filter.
dst_port_start       Destination Port range filter.
eth_proto            Ethernet Proto filter.
ip_proto             IP Proto filter. Support for TCP only for now.
new                  (Editor Mode) Create new object in editor mode
no                   Remove field
save                 Save and exit the current submode
show_schema          show object schema
src_port             Source Port filter.
src_port_range_end   Source Port range end filter. If specified, the source port filter will be a range. The filter range will be between src_port and src_port_range_end.
tcp_ack              TCP ACK flag filter.
tcp_fin              TCP FIN flag filter.
tcp_push             TCP PUSH flag filter.
tcp_syn              TCP SYN flag filter.
watch                Watch a given show command
where                Display the in-progress object

Notes The followings are the changes introduced in NSX Advanced Load Balancer 22.1.1 version.

  • Latency audit is now part of se_Group under se_time_Tracker_properties.
  • SE TT latency audit (ingress / egress) is now independent of flow_type.
  • Latency_audit_filters under debug serviceengine are now deprecated.
  • App log and connection log for TT latency_audit is still controlled by a knob under analytics profile (the knob is ingress_sig_log). This is to allow logs generation behaviour to be tweaked independently on each virtual service.

Connection establishment audit is part of analytics_profile > timetracker_properties. TimeTracker has the following two components:

  • se_time_tracker_properties (to audit SE-specific events and counters)
  • time_tracker_properties (to audit virtual service/ANP-specific events and counters)

To check the SE time tracker properties, use the se_time_tracker_props option under the configure serviceenginegroup <se_group_name> command. Below is the sample output for the SE time tracker properties.


| se_time_tracker_props                   |                                                         |
|   ingress_threshold                     | 4 milliseconds                                          |
|   egress_threshold                      | 4 milliseconds                                          |
|   ingress_audit_mode                    | SE_TT_AUDIT_ON_WITH_EVENT                               |
|   egress_audit_mode                     | SE_TT_AUDIT_ON_WITH_EVENT                               |
|   event_gen_window                      | 1 seconds                                               |
| grpc_channel_connect_timeout            | 15                                                      |
+-----------------------------------------+---------------------------------------------------------+

Use the configure analyticsprofile <profile_name> command and the time_tracker_properties option to check the time tracker properties for the selected analytics profile.


| time_tracker_props                              |                                                       |
|   fe_conn_est_audit_mode                        | TT_AUDIT_ON_WITH_SIG                                  |
|   fe_conn_est_threshold                         | 4 milliseconds                                        |
|   be_conn_est_audit_mode                        | TT_AUDIT_ON_WITH_SIG                                  |
|   be_conn_est_threshold                         | 4 milliseconds                                        |
|   ingress_sig_log                               | True                                                  |
+-------------------------------------------------+-------------------------------------------------------+

Below is the default values for the Time Tracker and SE Time Tracker properties.

default

default-time

Metrics and Logs

The framework supports metrics, events and logs. These are configurable.

Metrics at SE level

Metrics at VS level

Events

Note: The threshold is set to 0 in this example.

Significant Logs (When Latency_Audit is enabled)

The detailed timing and flow characteristics will be present in Connection/App Log.

Key Changes Introduced in Avi Vantage 22.1.1 Version

The following are the changes introduced for the Events options in the NSX Advanced Load Balancer 22.1.1 version.

  • TT Event generation option is now configurable under se_timetracker_properties.
  • Virtual Service details is not supported under the TimeTracker Event.
  • The maximum value of the ingress/egress latency (within an event window) is now published on the event log.

Use the show serviceengine <SE_NAME> rteringstat command to check Service Engine RteRingstats for Time Tracker :


| num_ingress_latency_exceeded_pkts | 12                        |
| num_egress_latency_exceeded_pkts  | 12                        |

Use the show virtualservice <VS_name> internal command to check the virtual service internal statistics for Time Tracker :


| num_ingress_latency_exceeded_flows  | 2                                                   |
| num_conn_est_time_exceeded_flows_fe | 1                                                   |
| num_conn_est_time_exceeded_flows_be | 1                                                   |